Control: tags 1122030 + patch
Control: tags 1122030 + pending
Dear maintainer, I've prepared an NMU for python-urllib3 (versioned as 2.5.0-1.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should cancel it. Testing on debusine: https://debusine.debian.net/debian/developers/work-request/305130/ Note that I did not address #1122029 as well, as this will need an updated brotli in unstable. Regards, Salvatore
diffstat for python-urllib3-2.5.0 python-urllib3-2.5.0 changelog | 8 ++++ patches/CVE-2025-66418.patch | 75 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 84 insertions(+)
diff -Nru python-urllib3-2.5.0/debian/changelog python-urllib3-2.5.0/debian/changelog
--- python-urllib3-2.5.0/debian/changelog 2025-08-18 12:19:44.000000000 +0200
+++ python-urllib3-2.5.0/debian/changelog 2026-01-03 20:00:44.000000000 +0100
@@ -1,3 +1,11 @@
+python-urllib3 (2.5.0-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Unbounded number of links in the decompression chain (CVE-2025-66418)
+ (Closes: #1122030)
+
+ -- Salvatore Bonaccorso <[email protected]> Sat, 03 Jan 2026 20:00:44 +0100
+
 python-urllib3 (2.5.0-1) unstable; urgency=medium
 
 * Team upload.
diff -Nru python-urllib3-2.5.0/debian/patches/CVE-2025-66418.patch python-urllib3-2.5.0/debian/patches/CVE-2025-66418.patch
--- python-urllib3-2.5.0/debian/patches/CVE-2025-66418.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-urllib3-2.5.0/debian/patches/CVE-2025-66418.patch 2026-01-03 19:56:14.000000000 +0100
@@ -0,0 +1,75 @@
+From: Illia Volochii <[email protected]>
+Date: Fri, 5 Dec 2025 16:41:33 +0200
+Subject: Merge commit from fork
+Origin: https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8
+Bug-Debian: https://bugs.debian.org/1122030
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-66418
+
+* Add a hard-coded limit for the decompression chain
+
+* Reuse new list
+---
+ changelog/GHSA-gm62-xv2j-4w53.security.rst | 4 ++++
+ src/urllib3/response.py | 12 +++++++++++-
+ test/test_response.py | 10 ++++++++++
+ 3 files changed, 25 insertions(+), 1 deletion(-)
+ create mode 100644 changelog/GHSA-gm62-xv2j-4w53.security.rst
+
+diff --git a/changelog/GHSA-gm62-xv2j-4w53.security.rst b/changelog/GHSA-gm62-xv2j-4w53.security.rst
+new file mode 100644
+index 000000000000..6646eaa3a6c0
+--- /dev/null
++++ b/changelog/GHSA-gm62-xv2j-4w53.security.rst
+@@ -0,0 +1,4 @@
++Fixed a security issue where an attacker could compose an HTTP response with
++virtually unlimited links in the ``Content-Encoding`` header, potentially
++leading to a denial of service (DoS) attack by exhausting system resources
++during decoding. The number of allowed chained encodings is now limited to 5.
+diff --git a/src/urllib3/response.py b/src/urllib3/response.py
+index 4ba421369f87..069f726cb85a 100644
+--- a/src/urllib3/response.py
++++ b/src/urllib3/response.py
+@@ -306,8 +306,18 @@ class MultiDecoder(ContentDecoder):
+ they were applied.
+ """
+
++ # Maximum allowed number of chained HTTP encodings in the
++ # Content-Encoding header.
++ max_decode_links = 5
++
+ def __init__(self, modes: str) -> None:
+- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
++ encodings = [m.strip() for m in modes.split(",")]
++ if len(encodings) > self.max_decode_links:
++ raise DecodeError(
++ "Too many content encodings in the chain: "
++ f"{len(encodings)} > {self.max_decode_links}"
++ )
++ self._decoders = [_get_decoder(e) for e in encodings]
+
+ def flush(self) -> bytes:
+ return self._decoders[0].flush()
+diff --git a/test/test_response.py b/test/test_response.py
+index 9592fdd94052..d824ae70b41b 100644
+--- a/test/test_response.py
++++ b/test/test_response.py
+@@ -847,6 +847,16 @@ class TestResponse:
+ assert r.read(9 * 37) == b"foobarbaz" * 37
+ assert r.read() == b""
+
++ def test_read_multi_decoding_too_many_links(self) -> None:
++ fp = BytesIO(b"foo")
++ with pytest.raises(
++ DecodeError, match="Too many content encodings in the chain: 6 > 5"
++ ):
++ HTTPResponse(
++ fp,
++ headers={"content-encoding": "gzip, deflate, br, zstd, gzip, deflate"},
++ )
++
+ def test_body_blob(self) -> None:
+ resp = HTTPResponse(b"foo")
+ assert resp.data == b"foo"
+--
+2.51.0
+
diff -Nru python-urllib3-2.5.0/debian/patches/series python-urllib3-2.5.0/debian/patches/series
--- python-urllib3-2.5.0/debian/patches/series 2025-08-18 12:19:44.000000000 +0200
+++ python-urllib3-2.5.0/debian/patches/series 2026-01-03 19:56:35.000000000 +0100
@@ -1 +1,2 @@
 test_http2_probe_blocked_per_thread-requires_network.patch
+CVE-2025-66418.patch
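Review bot: The DEP-3 header of the new patch file carries `Subject: Merge commit from fork`, which is the upstream merge title and says nothing about what the change does; since the `Origin:` line already identifies the upstream commit, a descriptive subject such as `Subject: Limit the number of chained Content-Encoding decoders (CVE-2025-66418)` would make the entry in debian/patches self-explanatory. In the code itself, the length check in `MultiDecoder.__init__` runs before any `_get_decoder` call, so an over-long chain is rejected without instantiating a single decoder, and the resulting `DecodeError` surfaces from `HTTPResponse(...)` construction, as the added test shows; the class comment could state this, e.g. `# Checked eagerly in __init__, so an over-long chain fails at response construction.` The cap bounds only the number of links, not what each link expands to, which is outside the scope of this change. The enclosing MultiDecoder class starts before and continues after the hunk.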

